
Fix:Server-side scripts security flaw - The example server-side scripts

had an injection vulnerability where paging and sorting could be exploited
- 13314. DataTables 1.9.4 has been reissued with these fixes.
DataTables committed Dec 21, 2012
1 parent 36fc3cc commit 86cc702539191ed67432c9aaeaeed89bf1805cb3
@@ -128,8 +128,8 @@ <h1>Server side (PHP) code</h1>
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) &amp;&amp; $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -145,7 +145,7 @@ <h1>Server side (PHP) code</h1>
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
$sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
- mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -69,7 +69,7 @@ <h1>Initialisation code</h1>
$('#example').dataTable( {
"bProcessing": true,
"bServerSide": true,
- "sAjaxSource": "scripts/server_processing.php"
+ "sAjaxSource": "scripts/server_processing.php",
"fnServerParams": function ( aoData ) {
aoData.push( { "name": "more_data", "value": "my_value" } );
}
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
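Review bot: intval() alone still lets a negative or non-numeric value through into the LIMIT clause on the two added lines: an iDisplayStart of "-5" yields `LIMIT -5, 10`, which MySQL rejects, and a non-numeric length collapses to `LIMIT 0, 0`. Clamp and name both values before building the string, e.g. `$iStart = max( 0, intval( $_GET['iDisplayStart'] ) );` `$iLength = max( 0, intval( $_GET['iDisplayLength'] ) );` `$sLimit = "LIMIT ".$iStart.", ".$iLength;`. The isset() guard on the line above covers only iDisplayStart while iDisplayLength is read unconditionally, so it should test both keys. The same pattern recurs in every other $sLimit hunk of this commit, including the $_POST variant and the two documentation-page copies.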
@@ -75,8 +75,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
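Review bot: `$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]` on the first added line is read without checking that the index exists, so an out-of-range iSortCol_N raises a PHP notice and emits an empty backtick-quoted identifier, which makes the whole query fail instead of that sort key being ignored. Resolve the index once and skip unknown columns, e.g. `$iCol = intval( $_GET['iSortCol_'.$i] );` followed by `if ( !isset( $aColumns[$iCol] ) ) { continue; }` before the append, reusing `$iCol` in both the bSortable_ lookup and the column name. The surrounding for loop starts outside this hunk. The direction whitelist on the second added line is sound; the same index check is missing in the later $sOrder hunks that use intval(), including the $_POST one and the documentation-page copies.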
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -75,8 +75,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] )-1 ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -31,8 +31,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
/* Ordering */
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -75,8 +75,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -75,8 +75,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -75,8 +75,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -76,8 +76,8 @@ function fatal_error ( $sErrorMessage = '' )
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
$iColumnIndex = array_search( $_GET['mDataProp_'.$_GET['iSortCol_'.$i]], $aColumns );
- $sOrder .= $aColumns[ $iColumnIndex ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ $iColumnIndex ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
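Review bot: the `array_search(...)` result on the context line just above the added lines is never checked for `false`, and `$aColumns[ false ]` is read as `$aColumns[0]`, so an unknown mDataProp_N silently sorts by the first column instead of being ignored; the search is also a loose comparison. Add `if ( $iColumnIndex === false ) { continue; }` directly after the lookup and pass `true` as array_search's third argument. The enclosing for loop starts outside this hunk. The identical $iColumnIndex hunk that follows the next $sLimit hunk has the same gap.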
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) && $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -76,8 +76,8 @@ function fatal_error ( $sErrorMessage = '' )
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
$iColumnIndex = array_search( $_GET['mDataProp_'.$_GET['iSortCol_'.$i]], $aColumns );
- $sOrder .= $aColumns[ $iColumnIndex ]."
- ".mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ $iColumnIndex ]."` ".
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -59,8 +59,8 @@ function fatal_error ( $sErrorMessage = '' )
$sLimit = "";
if ( isset( $_POST['iDisplayStart'] ) && $_POST['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_POST['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_POST['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_POST['iDisplayStart'] ).", ".
+ intval( $_POST['iDisplayLength'] );
}
@@ -74,8 +74,8 @@ function fatal_error ( $sErrorMessage = '' )
{
if ( $_POST[ 'bSortable_'.intval($_POST['iSortCol_'.$i]) ] == "true" )
{
- $sOrder .= $aColumns[ intval( $_POST['iSortCol_'.$i] ) ]."
- ".mysql_real_escape_string( $_POST['sSortDir_'.$i] ) .", ";
+ $sOrder .= "`".$aColumns[ intval( $_POST['iSortCol_'.$i] ) ]."` ".
+ ($_POST['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -75,7 +75,7 @@ function fatal_error ( $sErrorMessage = '' )
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
$sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
- mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
@@ -141,8 +141,8 @@ <h1>Server side (PHP) code</h1>
$sLimit = "";
if ( isset( $_GET['iDisplayStart'] ) &amp;&amp; $_GET['iDisplayLength'] != '-1' )
{
- $sLimit = "LIMIT ".mysql_real_escape_string( $_GET['iDisplayStart'] ).", ".
- mysql_real_escape_string( $_GET['iDisplayLength'] );
+ $sLimit = "LIMIT ".intval( $_GET['iDisplayStart'] ).", ".
+ intval( $_GET['iDisplayLength'] );
}
@@ -158,7 +158,7 @@ <h1>Server side (PHP) code</h1>
if ( $_GET[ 'bSortable_'.intval($_GET['iSortCol_'.$i]) ] == "true" )
{
$sOrder .= "`".$aColumns[ intval( $_GET['iSortCol_'.$i] ) ]."` ".
- mysql_real_escape_string( $_GET['sSortDir_'.$i] ) .", ";
+ ($_GET['sSortDir_'.$i]==='asc' ? 'asc' : 'desc') .", ";
}
}
